[nSLUG] Looking for a DNS secondary partner

D G Teed donald.teed at gmail.com
Tue May 5 10:13:13 ADT 2009


On Mon, May 4, 2009 at 3:12 PM, Ian Campbell <ian at slu.ms> wrote:

>
> Skimming the thread again, I see nobody mentioned the allow_url_fopen
> option for PHP. It will disable that (frankly idiotic) default
> behaviour where PHP lets include/require/file_get_contents etc. open
> remote urls if you set it to false in php.ini.
>

Thanks for mentioning this option.  Worthwhile for anyone to know about.

After we found the problem, we implemented that setting,
and allow_url_include as well.  I agree it is a stupid default
setting, and we'll add it to the things we have to change after an install.

> You can write secure code in any language, you can write insecure code
> in any language. PHP doesn't make it significantly easier to shoot
> yourself in the foot than perl/ruby/python/C/whatever if the coders
> aren't going to validate input to begin with.
>

The problem is PHP provides a low entry bar for novices
to try a few lines of code.  The file we found the problem in
was using PHP includes in place of anchors and a little copy
and paste.  There was no other purpose for the
PHP code being used - very rudimentary level of knowledge
required.

--Donald
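
The post-install check discussed in this message, as an added example that is not part of the original post: a Python script that reads php.ini text and reports whether allow_url_fopen and allow_url_include are explicitly switched off. The sample ini fragments are constructed, and the policy of requiring both directives to be set explicitly (rather than relying on a default) is an assumption of this example.

```python
import re

# The two directives named in the thread (PHP directive names are case sensitive).
DIRECTIVES = ("allow_url_fopen", "allow_url_include")
# Spellings accepted as "off" here; anything else is flagged (conservative choice).
OFF_VALUES = {"0", "off", "false", "no", "none", ""}
LINE_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")


def parse_ini(text):
    """Return {directive: value} for DIRECTIVES; a later assignment overrides an earlier one."""
    found = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]  # drop ';' comments, including commented-out directives
        m = LINE_RE.match(line)
        if m and m.group(1) in DIRECTIVES:
            found[m.group(1)] = m.group(2).strip("\"'")
    return found


def audit(text):
    """Return a list of findings; an empty list means both directives are explicitly off."""
    found = parse_ini(text)
    findings = []
    for name in DIRECTIVES:
        if name not in found:
            findings.append(f"{name}: not set, PHP's built-in default applies")
        elif found[name].lower() not in OFF_VALUES:
            findings.append(f"{name}: set to {found[name]!r}")
    return findings


# Constructed sample php.ini fragments (not taken from the thread).
AS_INSTALLED = """\
[PHP]
; allow_url_include = Off
allow_url_fopen = On
"""
HARDENED = """\
[PHP]
allow_url_fopen = On   ; packaged value
allow_url_fopen = Off  ; site override further down the file
allow_url_include = "0"
"""

if __name__ == "__main__":
    for label, text in (("as installed", AS_INSTALLED), ("hardened", HARDENED)):
        print(label, "->", audit(text) or "OK")
```

Feed it the contents of every file that `php --ini` lists, since additional .ini files are parsed after the main php.ini.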